Four easy-to-remember passwords that will protect you for life

The recent security breach at the beloved online storage service, Dropbox, has reminded us of the weakness of the Web. Founded in 2007, Dropbox uses cloud computing to let us store all kinds of large files on the Web, across a variety of operating systems, and share them easily with others. For about four hours on June 19, anyone could get access to any account with a dummy password. As a fellow journalist John Pavlus, who also uses Dropbox, noted, "It was like our skirt got lifted for hours." Dropbox's own statement on the incident read as follows:

Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.

We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner.

This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.

This is a serious issue for Dropbox—a company valued at $1.5 to $2 billion—since trust is the number one value they offer over their competition. Until we hear more about the "additional safeguards" they intend to implement it does give us pause about our chosen passwords.

I use the same series of numbers and letters but I mix them up (upper case, lower case, order, creating what I think is a near limitless variety) for different sites: banking, discount shopping, online publications, airlines, etc. I thought I was being smart. And I have been a bit smart, since I technically don't use the exact same password for different sites, and I change them regularly.

But there is a better way. A simple way. Christopher Mims at MIT's Tech Review suggests creating only four passwords and using them in a tiered system.

Here they are:
Low-tier password: Something you may already be using that is so easy it might as well be your middle name. Use this for sites you don't care about, like commenting sites for online magazines or music streaming sites. If you get hacked, the worst that can happen is that your username suddenly likes the band Toto.

Second-tier password: "For sites on which you don't want to be impersonated (Twitter, Facebook, etc.)," says Mims. Here you need something longer (as long as you are comfortable recalling) with at least one special character, ideally inserted in the middle rather than at either end. Never use what is called a "dictionary password" (any real word), since trying every word in a dictionary is a classic tactic hackers use to break into accounts.

Third-tier password: This is for email accounts. (I would recommend for your cell phone as well.) It needs to be unique, long and interspersed with special characters. Your email account is where you might hold information about your other passwords, so it must be highly guarded. It is like the "master key" of passwords.

Fourth-tier password: The gold standard of passwords should be reserved for your bank and financial information. This password should be unique to your banking and used for nothing else.

So we don't need to have 30+ passwords memorized, or worse, written down in email or on scraps of paper. We just need four—or at least three—tiered by importance and security.

As for tips on creating a vice-like, gold standard password, I suggest reading this post on the worst passwords of all time, and avoiding them. Even a cryptic-looking string like "abgrtyu" is on the list, so be wary. The hard part is following the paradoxical mantra of password creation: easy to remember, hard to guess. Uh, ok. Once you've mastered that statement, try measuring your password's strength with this useful Microsoft test. I used to get angry and hurt when my passwords were rated "weak," as if it were a personal affront. Now I know it can be part of an entire strategy of protection.
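The tier rules above (length, a special character away from the ends, no dictionary words, nothing from the worst-passwords list) and the strength-testing idea in this last paragraph can be turned into a small offline checker. The following is an added example written for this page; it is not code from the article, from Dropbox, or from the Microsoft test it mentions. The common-password set and the mini dictionary are constructed stand-ins (a real check would load a full published list and a system word list), and the minimum length of 12 is an assumed threshold, not a figure from the article. The second function checks a set of tiered passwords for the reuse pattern the author admits to: case and punctuation variants of one base string.

```python
import re
import string

# Constructed sample standing in for the "worst passwords" list the article links to.
# "abgrtyu" is included because the article says it appears on that list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abgrtyu", "iloveyou"}

# Constructed mini dictionary; a real check would use a system word list.
DICTIONARY_WORDS = {"toto", "dropbox", "summer", "secret", "master", "banking"}

SPECIAL = set(string.punctuation)


def check_password(pw, min_len=12):
    """Return a list of rule violations; an empty list means the password passes.

    min_len=12 is an assumed threshold, not a number from the article.
    """
    problems = []
    low = pw.lower()

    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")

    if low in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")

    # Strip digits and punctuation so "Summer2011!" is still caught as the word "summer".
    letters_only = re.sub(r"[^a-z]", "", low)
    if low in DICTIONARY_WORDS or letters_only in DICTIONARY_WORDS:
        problems.append("is a dictionary word (with decoration stripped)")

    specials_at = [i for i, ch in enumerate(pw) if ch in SPECIAL]
    if not specials_at:
        problems.append("contains no special character")
    elif not any(0 < i < len(pw) - 1 for i in specials_at):
        # Special characters only at the very start or end are the predictable placement
        # the article warns against.
        problems.append("special characters only at the start or end")

    return problems


def _base_form(pw):
    """Lowercase and drop punctuation so case/punctuation variants collapse together."""
    return re.sub(r"[^a-z0-9]", "", pw.lower())


def check_tiers(tiers):
    """tiers maps a tier name (e.g. 'email', 'bank') to its password.

    Flags exact reuse across tiers and also near-reuse, where two tiers differ only by
    case or punctuation, since a leak of one then gives away the other.
    """
    problems = []
    names = list(tiers)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if tiers[a] == tiers[b]:
                problems.append(f"{a} and {b} use the same password")
            elif _base_form(tiers[a]) == _base_form(tiers[b]):
                problems.append(f"{a} and {b} are case/punctuation variants of one password")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords for a local demonstration.
    for candidate in ["toto", "abgrtyu", "Summer2011!", "correct!horsebattery"]:
        print(candidate, "->", check_password(candidate) or "ok")
    sample_tiers = {"low": "toto", "social": "Toto!", "email": "correct!horsebattery",
                    "bank": "correct!horsebattery"}
    print(check_tiers(sample_tiers))
```

The base-form comparison in check_tiers is the interesting part: the author's habit of reshuffling case and order of one string across sites looks like many passwords but collapses to one base, which is exactly the relationship this check surfaces.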